|
Listen to this story
|
Google’s handling of user data has long been a subject of concern for data privacy enthusiasts. While the tech giant has undergone a comparatively low number of data breaches in recent history, its hold over the Android platform allows them to harvest an unprecedented amount of data.
Now, Google is taking more steps to ensure the collection of user data across non-mobile devices as well. Recently, a netizen found that Google has changed their domain structures to include all their services under one parent domain. This means that any permissions given by the user for one google service, such as Google Maps, extend to all Google services under the domain.
To understand why this is a serious privacy concern for users, we must first look at how domains work. There are two types of web directory management systems: subdomains and subdirectories.
Subdomains are treated as children of the parent domain, but they exist outside the main domain within a disparate partition. Subdirectories, on the other hand, are treated as part of the main domain as they are nothing but a page under the domain.
For instance, Google was previously using a subdomain for Google Maps, as seen by its URL ‘maps.google.com’.
Now, they have switched to using a subdirectory, with the URL changing to ‘google.com/maps’.
This means that the permission pop-up that appears when a website is trying to access the user’s camera, mic, or location, only needs to be accepted once across Google’s vast range of services. Then, Google can use these permissions for all their services without having to ask the users again.
As shown below, the user’s mic can be accessed from the Google search page, with camera permissions being granted from Google Meet. Location access can be granted through Google Maps, and this is likely to allow the search engine to track the user’s location even if they have not specifically given permission for it, or other applications.
This skirts the line of legality when it comes to prominent data protection regulations like the GDPR and the American Data Privacy and Protection Act.
The GDPR states that the provider’s privacy policy clearly mentions an explanation that the company must request consent for camera and mic access. Moreover, the company must also provide an explanation of their purposes for requesting camera access. India’s new privacy policy, on the other hand, has no legal purview regarding company’s usage of location data. Google’s Privacy Policy does not provide any clarity on these subjects.
In addition to this, location data is considered to be personal data under GDPR, with a huge chunk of the regulation being applicable to it. In the Google Chrome Privacy Policy, Google has a section on how it determines users locations and what it uses it for. However, while they specify that they won’t allow a site to access users’ locations without permission, they also state that they send data to Google Location Services to determine the user’s location. This data consists of information on nearby Wi-Fi routers, cell IDs of cell towers close to the user, and the user’s IP address.
Any user wishing to use Google Maps for a short stretch of navigation will now be asked to give permission to Google to access their location. Upon providing this permission, Google can access this data at any time due to their new domain structure, allowing them to geo-track the user any time they have a Google website open.
Along with Apple’s covert implementation of user tracking, this shows a disturbing trend in the tech sector, where companies are tracking users by operating in grey areas of regulations.
Read: Square the Circle: Apple’s Privacy Play Lands It in Trouble… Again
The more sinister side of it, however, is the fact that these changes were made without any notification to users, creating another treasure trove of unsupervised surveillance data for tech giants to monetise using advertising.
